Not sure what you mean. I would think its like any other MT device in between the modem and the router.
Use vlans,
a. one vlan to accept the internet traffic so as to terminate the incoming on the router
b. one vlan to manage the far end of the wireless wire.
Thus no exposure to the internet.
Assuming that the modem is just an ONT, and not accessible by you at all.
Create two vlans on the router, your management vlan may or should already exist aka a trusted vlan.
As per any Router OS,
on the router you have a dedicated trunk port to the closer device aka port X,
so bridge port X, allow only vlan tagged data.
vlanYY is for incoming internet interface is port X going to close wireless wifi device.
vlanMGMT (66) is for managing all MT devices.
Ip dhcp client
interface=vlanyy
bridge vlans
add bridge=bridge tagged=bridge,portX vlan-id=YY
add bridge=bridge tagged=bridge,portX vlan-id=66 ( other tagged ports if going to other smart devices on the network or perhaps untagged to a port on the router as well ).
As far as the WW goes, never used one but I would approach as a basic ap / switch.
only need to identify vlanMGT, the rest are only data streams being transferred transparently in this case the internet traffic. SO
bridge port A (from router) trunk port vlan tagged only
bridge port WLAN tagged only
vlan bridge add bridge=bridge tagged=portA,WLAN vlanids=YY,66
++++++++++++++++++++++++++++++++++++++++++++++++
FAR END same same
only need to identify vlanMGT, the rest are only data streams being transferred transparently in this case the internet traffic. SO
bridge port B (modem) trunk port vlan tagged only
bridge port WLAN vlan tagged only
vlan bridge add bridge=bridge tagged=portB,WLAN vlanids=YY,66
That should get you the idea……….
I would look for any youtube videos for connecting this niche stuff